What feels like a weekly response, vCenter Server Events, should always be your initial starting point in helping you understand the Who, What and When for something occurring within your vSphere environment. There are over 2K+ events that are published out of the box from vCenter Server with hundreds more from 2nd and 3rd party solutions that integrate with vCenter Server.
Combine vCenter Server Events with the power of the VMware Event Broker Appliance (VEBA), you now have a powerful Event-Driven Automation solution that can solve literally a limitless number of use cases, many of which have been shared by existing users found in this document HERE.
Today, I had received a question about auditing customers vSphere Datastore activities and identifying when someone has manually downloaded a Virtual Machine Virtual Disk (VMDK)?
As you probably have guessed, the answer lies within the vCenter Server Events! In fact, you can even see this in the vSphere UI under Events when selecting the vCenter Server inventory object as shown in the screenshot above.
In the example above, I have manually browsed to the vSphere Datastore and downloaded both the VMX and VMDK file for a given VM and we can see this is captured in vCenter Server as DatastoreFileDownloadEvent, which not only includes the Who and the When but details on the What was downloaded. You can easily use the vSphere API to audit for such events or you can leverage VEBA to build real-time notification when such events occur and immediately notify administrators or your security team and even storing this information in a long term archival system for audit and compliance purposes. As I said earlier, the possibilities are truly endless!
In addition to the DatastoreFileDownloadEvent, there are other types of vSphere Datastore activities that you might be interested in and I have put together the list of other vCenter Server Events that map to these activities below for your reference:
- DatastoreFileUploadEvent - Uploading files to vSphere Datastore
- DatastoreFileCopiedEvent - Copying files from vSphere Datastore
- DatastoreFileDeletedEvent - Deleting files from vSphere Datastore
- DatastoreFileMovedEvent - Moving or Renaming files from vSphere Datastore
Hopefully the next time you are trying to understand a change within your vSphere environment, vCenter Server Events will be the first place you check and using the vSphere UI under the Events view, will also help you quickly identify the name of the vCenter Server Event that you can then use to subscribe to and build powerful Event-Driven Automation workflows.
Thanks for the comment!